Running GitHub jobs from forks
As seen in the issues encountered in https://github.com/iotivity/iotivity-lite/pull/269 , some jobs don't work correctly from a forked repository. Namely:
- ctt-bot.yml - the action doesn't receive secrets -> can maybe be fixed by using the pull_request_target event instead of pull_request. EDIT: :heavy_check_mark: yes, pull_request_target works correctly
- ctt-test.yml - `python ../../github_run_ci.py --commit ${{steps.commit.outputs.sha}}` fails. I think the issue might be that the `github_run_ci.py` script tries to check out the iotivity-lite repository with the given sha, but for a fork this doesn't exist. However, if the fork is public I think we can make this work by adding a `--repository` parameter to the script and sending the url of the fork to the script. The script then needs to use the provided repository instead of iotivity-lite. Would that be possible @SiMet / @ondrejtomcik ?
- sonar-cloud-analysis.yml - for forks secrets are not received; using pull_request_target for checkout is not encouraged for safety reasons, however there might be a way to manually run it using the workflow_run event (https://github.com/matrix-org/sonarcloud-workflow-action)
Hi, it's possible to add a new parameter --repository. Do you have any sample which I could test?
Yes, you can use the PR that revealed this issue - https://github.com/iotivity/iotivity-lite/pull/269 . joochlee's fork is at https://github.com/joochlee/iotivity-lite . Right now running the ctt-test job fails, because I think it cannot find the latest commit in the PR (f9c0d5da69aaf43bd3dab2a6cc37ec25f2d4972e) that's sent as the --commit parameter.
I haven't seen how github_run_ci.py works, but I think adding something like this should work:
```bash
if [[ "${repository}" != *github.com/iotivity/* ]]; then  # only for forks, not the upstream repository
  git remote add upstream "${repository}"  # add the fork as "upstream" remote
  git fetch upstream "${commit}"           # fetch the commit from the fork
  git merge FETCH_HEAD                     # merge the fetched commit into the base branch
fi
```
Though we must verify that this is secure. Currently, the automatic jobs from forks don't run immediately, I must click on an "Approve and Run" button and only then the jobs are run. The CTT job runs after adding a label, I don't know what happens when one adds the "OCF Conformance Testing" label to a PR from a fork. If it waits for my approval then we're fine, but if it runs anyway then we have a security issue as @ondrejtomcik said in https://github.com/iotivity/iotivity-lite/pull/303 .
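As an added example (not the project's github_run_ci.py and not code posted in this thread), here is one way the proposed --repository parameter could be handled so that the fork URL and commit coming from a PR are checked before anything is fetched. It assumes the script runs inside a clone of iotivity-lite whose upstream remote is named origin; the function names, the UPSTREAM_REPO constant and the temporary remote name `fork` are my own choices:

```python
"""Added example: validate a ``--repository`` fork URL and a ``--commit`` SHA,
then build the git commands that bring that commit into the working tree.
Not the project's github_run_ci.py; names below are assumptions."""
import argparse
import re
import subprocess
from typing import List, Optional

# Assumed canonical repository (the one the CI job checks out by default).
UPSTREAM_REPO = "https://github.com/iotivity/iotivity-lite"

# Only https://github.com/<owner>/<repo>[.git][/] is accepted: no ssh/file URLs,
# no embedded credentials, no shell metacharacters, no other hosts.
_REPO_RE = re.compile(
    r"^https://github\.com/"
    r"([A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?)/"  # owner
    r"([A-Za-z0-9._-]+?)(?:\.git)?/?$"                   # repo
)
# Full 40-hex commit id only: branch names and short ids are rejected so the
# job tests exactly the commit that was reviewed in the PR.
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def validate_repository(url: str) -> str:
    """Return the normalised https URL of a GitHub repository or raise ValueError."""
    m = _REPO_RE.match(url.strip())
    if not m:
        raise ValueError(f"unsupported repository URL: {url!r}")
    owner, repo = m.groups()
    return f"https://github.com/{owner}/{repo}"


def validate_commit(sha: str) -> str:
    """Return the lower-cased full SHA or raise ValueError."""
    sha = sha.strip().lower()
    if not _SHA_RE.match(sha):
        raise ValueError(f"expected a full 40-character commit SHA, got {sha!r}")
    return sha


def plan_checkout(repository: str, commit: str) -> List[List[str]]:
    """Build the git commands for ``commit``.

    For the upstream repository the commit is fetched from ``origin`` and checked
    out directly.  For a fork it is fetched from a temporary ``fork`` remote and
    merged into the current base branch, as sketched in the thread; the fetched
    commit is available as FETCH_HEAD, not as a remote-tracking ref.
    """
    repo = validate_repository(repository)
    sha = validate_commit(commit)
    if repo == UPSTREAM_REPO:
        return [["git", "fetch", "origin", sha],
                ["git", "checkout", "--detach", sha]]
    return [["git", "remote", "add", "fork", repo],
            ["git", "fetch", "fork", sha],
            ["git", "merge", "--no-edit", "FETCH_HEAD"]]


def run_plan(commands: List[List[str]], cwd: Optional[str] = None) -> None:
    """Run the planned commands without a shell, so nothing is interpolated."""
    for cmd in commands:
        subprocess.run(cmd, check=True, cwd=cwd)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="fetch a PR commit, optionally from a fork")
    parser.add_argument("--repository", default=UPSTREAM_REPO,
                        help="https URL of the repository holding the commit")
    parser.add_argument("--commit", required=True, help="full commit SHA to test")
    args = parser.parse_args()
    run_plan(plan_checkout(args.repository, args.commit))
```

Run from inside the clone, e.g. `python check_fork.py --repository https://github.com/joochlee/iotivity-lite --commit f9c0d5da69aaf43bd3dab2a6cc37ec25f2d4972e`. Restricting the parameter to an https github.com URL and a full SHA, and executing git through subprocess without a shell, means a value taken from an untrusted PR cannot redirect the runner to another host or inject extra commands; whether the job may run at all for a fork, and with which secrets, is still decided by the workflow trigger and the approval step discussed above.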